Mobile Threat Monday: Know What the App Does

This week's Mobile Threat Monday list is a bit of a grab bag, with unnecessary permissions, leaked phone numbers, and a company issuing vague warnings of potential problems. As always, SecurityWatch recommends you consider what the apps do and make an informed decision about keeping or removing the app.

[1] Iron Man 3 Live Wallpaper

Iron Man 3 Live Wallpaper lets users download sticker widgets for the home screen, display Iron Man as the wallpaper, and animate Iron Man's Arc Reactor to show your device's battery status. "He's perfectly patriotic, so wave your device with Iron Patriot set to your homescreen in the air during the fireworks displays at all of the Independence Day festivities!" reads the description on Google Play.

The wallpaper app also requests two permissions related to your text messages—one to access your text messages and the other to read your text messages. "You may consider this inappropriate, depending on the app," BitDefender warns.

It appears the wallpaper will "repulsor blast you a head's up" to notify you when you receive a text message. SecurityWatch leaves it up to the reader to decide whether that is necessary functionality for a wallpaper.

[2] Facebook for Android

The official Facebook for Android app is leaking your phone number without your permission, Symantec said last week.

Symantec's new Norton Mobile Insight tool flagged the official Facebook application for transferring the device phone number without user permission. It turns out that the first time a user launched the Facebook app, even before the user had logged into the social network, the app sent the device phone number to Facebook servers. Even if you didn't have a Facebook account, if your phone came with the app pre-installed and you accidentally launched it, off went your phone number.

Facebook told Symantec the issue will be fixed in the next update.

[3] PokeCreator

Watch out for your Pokemon! PokeCreator from developer TCHU lets you create custom Pokemon and wirelessly send them to your consoles to use in various Pokemon games. According to the description on Google Play, the app claims to be compatible with Pokémon Black 2/White 2, Black/White, HeartGold/SoulSilver, Diamond/Pearl and Platinum. Nintendo over the weekend warned in a Japanese statement that characters created with the app conflicted with certain games and software.

Nintendo will not restore systems damaged by using the custom characters, the company said. We have yet to hear of cases where Nintendo DS or 3DS consoles were damaged because of custom Pokemon created by PokeCreator, though. Just know the risks before you plunk down that $0.99 for the app.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.